Plan Project Server 2007 authentication method
Updated: May 7, 2009
This article covers planning for security in a Microsoft Office Project Server 2007 Enterprise Project Management (EPM) Solution. This material is useful for executives, managers, and system administrators who are responsible for planning the deployment of an Office Project Server 2007 EPM Solution.
The Office Project Server 2007 security model is based on the Windows security model, by which users and groups (security principals) are granted permission to access security objects. The Office Project Server 2007 security model is designed to enable you to control and manage access to projects, resources, and reports stored in the Office Project Server 2007 database; Office Project Web Access pages; and features that are available in Microsoft Office Project Professional 2007 and Office Project Web Access. In addition, the security architecture enables you to manage a large number of users and projects easily by assigning permissions to groups of users and unique categories. This reduces the number of times that you need to update permissions in Office Project Web Access.
Users can connect to Project Server in a number of ways:
Office Project Web Access client
Office Project Professional 2007 client
Microsoft Office Outlook 2007
When accessing Office Project Server 2007 by any one of these methods, there are two ways that a user can be authenticated to Office Project Server 2007: Windows authentication and forms authentication.
Windows authentication and forms authentication
Forms authentication is similar to the Project Server authentication mechanism provided in Project Server 2003 in that a user enters a user name and password. The main difference is that forms authentication users and their passwords are stored in membership stores rather than in the Project Server database. Examples of these stores include Active Directory, a SQL database, and an LDAP store. Access to a membership store is enabled through a membership provider, and there are specific providers for each type of membership store.
Each Project Server Web application (which was called a "virtual server" in Project Server 2003) can have multiple authentication mechanisms, but each IIS Web site within that Project Server Web application can only be associated with one authentication model. For example, it would be possible to extend a Project Server Web application to include one Windows authentication IIS Web site and two forms authentication IIS Web sites, one using an LDAP store and the other Microsoft SQL Server. Because these IIS Web sites are part of the same Project Server Web application, they share the same content database. Therefore, the page content appears the same for users independent of which IIS Web site they access. Because they are separate IIS Web sites, the users need to access them on different port numbers. For example:
http://contoso:80/projectserver Windows authentication
http://contoso:81/projectserver Forms authentication (LDAP)
http://contoso:8080/projectserver Forms authentication (SQL)
When creating an IIS Web site and associating a forms membership provider, you will see an option to select Anonymous Access. Project Server does not offer anonymous access; it requires every user to be an active user who holds the Log On global permission. Authority for forms authentication comes through Windows SharePoint Services 3.0. Certain situations call for anonymous access on SharePoint sites. If you are using Windows SharePoint Services 3.0 in situations that do not involve Office Project Server 2007, you might want to use Anonymous Access.
For more information about forms authentication and anonymous access, see Plan authentication methods [Windows SharePoint Services].
For more information about planning authentication settings for Web Applications, see Plan authentication settings for Web applications [Windows SharePoint Services].
For sample configuration settings for different forms authentication methods, see Authentication samples [Windows SharePoint Services].
When viewing the documents listed above, note that configuring for a Role Manager is not required for Office Project Server 2007. This is listed as an optional requirement.
Forms authentication and passwords
Settings for IIS Web sites, including the connection strings and credentials that membership providers use to reach their membership stores, are stored in the configuration file for the site, named Web.config. These values are stored in clear text, so protect the file: restrict NTFS permissions on Web.config to the accounts that must read it, and encrypt the connectionStrings section with the ASP.NET protected-configuration feature (aspnet_regiis -pe or -pef) so that a copy of the file does not disclose the membership store password.
Users who authenticate to Office Project Web Access using forms authentication will find a link to Change Password on the Personal Settings page. However, if the enablePasswordReset attribute on the membership provider's entry in Web.config is set to false, which is the default setting, then changing the password through the Office Project Web Access user interface is not possible. For more information on ASP.NET .config files and editing a Web.config file, see ASP.NET Configuration in the MSDN Library (http://go.microsoft.com/fwlink/?LinkId=73257). For more information about using Web.config with Windows SharePoint Services 3.0, see Config.xml file in the 2007 Office system.
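The following Web.config fragment is an added example, not configuration from the original article or from Microsoft; it shows what the forms authentication IIS Web site backed by SQL Server from the port example above would contain when it uses the ASP.NET SqlMembershipProvider, with enablePasswordReset set so that the Change Password link on the Personal Settings page works. The connection string name (FbaMembershipDb), provider name (FbaSqlProvider), SQL Server name, database name and SQL login are constructed placeholders.

```xml
<configuration>
  <connectionStrings>
    <!-- Constructed example. Encrypt this section with
         aspnet_regiis -pef connectionStrings "<physical path of the IIS Web site>"
         so the SQL login password is not stored in clear text. -->
    <add name="FbaMembershipDb"
         connectionString="Server=sqlserver01;Database=aspnetdb;User ID=fba_reader;Password=ChangeMe!" />
  </connectionStrings>
  <system.web>
    <!-- Windows SharePoint Services 3.0 writes this block when the Web
         application zone is switched to forms authentication. -->
    <authentication mode="Forms">
      <forms loginUrl="/_layouts/login.aspx" />
    </authentication>
    <membership defaultProvider="FbaSqlProvider">
      <providers>
        <add name="FbaSqlProvider"
             type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="FbaMembershipDb"
             applicationName="/"
             enablePasswordReset="true"
             enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="false"
             requiresUniqueEmail="true"
             passwordFormat="Hashed"
             minRequiredPasswordLength="8"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Two points a practitioner would check on this fragment: the SQL login in the connection string needs only membership in the aspnet_Membership_FullAccess database role created by aspnet_regsql.exe, not db_owner; and passwordFormat="Hashed" together with enablePasswordRetrieval="false" keeps stored passwords irreversible. In Windows SharePoint Services 3.0 the same membership provider entry must also be added to the Central Administration Web.config (leaving its authentication mode unchanged) so that the People Picker can resolve forms users when you add them to Project Server.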
Recommendations for determining user authentication methods
Consider the following general security guidelines when determining whether to choose Windows authentication only, forms authentication only, or mixed authentication:
If all users accessing the computer running Office Project Server 2007 already have (or can have) a Windows domain account, use only Windows authentication.
If users cannot have a Windows domain account, use forms authentication.
If some users need to access the computer running Office Project Server 2007 from the Internet but do not have a Windows domain account, use mixed authentication, and consider setting up unique sets of roles, permissions, and categories to separate internal-access users from external-access users.